In January, I upgraded to 100M fibre, and paid upfront for the year (RMB2800).<\/p>\n
While I was on vacation, my FTTB at home stopped working, so we called Shanghai Telecom.<\/p>\n
What had actually happened was that there was a screwup with the account setup, and they’d put me on a monthly bill *and* 100M.
\nAfter 6 months, they decided that I hadn’t paid my bill, and cancelled my 100M fibre account!
\nStaff eventually sorted it out, and Telecom gave us a 6 month credit.
\nEven so, I ended up coming back to a crappy E8 wifi + modem setup and my router set to use DHCP. <\/p>\n
The Shanghai Telecom unit was setup for a maximum of 16 wifi devices, and uPNP was disabled, sigh.<\/p>\n
I prefer to use my own equipment, as I generally don’t gimp it, so I called Telecom to ask for my “new” account details so I could replace it.<\/p>\n
Unfortunately the technician had changed the password, and the 10000 hotline didn’t have the new pass, or the LOID.<\/p>\n
I called the install technician who’d installed it in my absence, but he wasn’t very helpful, and told me I couldn’t have it. Surprise…<\/p>\n
What to do.<\/p>\n
I took a look at their modem, and thought it should be fairly easy to try get the details from it.<\/p>\n
Did a bit of googling, and found that it had an accessible serial port, so opened up the unit, and connected it up.<\/p>\n
After a bit of cable fiddling, got a connection @ 115200 \/ 8n1<\/p>\n
Cable pinout should be –
\nGND | MISSING PIN | TX | RX | VCC<\/p>\n
I’ll add some photos later.<\/p>\n
With some more fiddling around, I got terminal access (accidentally!) with some prudent Ctrl C\/ Ctrl Z’ing during the boot process as something crashed and I got a terminal prompt.
\nIts vxware, although the boot process does look quite linuxy.<\/p>\n
Lots of interesting commands..<\/p>\n
\r\n > ls -al\r\ntelnetd:error:341.568:processInput:440:unrecognized command ls -al\r\n > help\r\n?\r\nhelp\r\nlogout\r\nexit\r\nquit\r\nreboot\r\nbrctl\r\ncat\r\nloglevel\r\nlogdest\r\nvirtualserver\r\nddns\r\ndf\r\ndumpcfg\r\ndumpmulticfg\r\ndumpmdm\r\ndumpnvram\r\nmeminfo\r\npsp\r\nkill\r\ndumpsysinfo\r\ndnsproxy\r\nsyslog\r\necho\r\nifconfig\r\nping\r\nps\r\npwd\r\nsntp\r\nsysinfo\r\ntftp\r\nvoice\r\nwlctl\r\nshowOmciStats\r\nomci\r\nomcipm\r\ndumpOmciVoice\r\ndumpOmciEnet\r\ndumpOmciGem\r\narp\r\ndefaultgateway\r\ndhcpserver\r\ndns\r\nlan\r\nlanhosts\r\npasswd\r\nppp\r\nrestoredefault\r\npsiInvalidateCheck\r\nroute\r\nsave\r\nswversion\r\nuptime\r\ncfgupdate\r\nswupdate\r\nexitOnIdle\r\nwan\r\nbtt\r\noam\r\nlaser\r\noverhead\r\nmcpctl\r\nsendInform\r\nwlanpower\r\nzyims_watchdog\r\natbp\r\nctrate\r\ntestled\r\nipversionmode\r\ndumptr69soap\r\nlan2lanmcast\r\ntelecomaccount\r\nwanlimit\r\nnamechange\r\nuserinfo\r\nlocalservice\r\ntcptimewait\r\natsh\r\noption125Mode\r\neponlinkper\r\nsetponlinkuptime\r\nloidtimewait\r\nphonetest\r\n <\/pre>\nFirst up, dump the nvram<\/p>\n
\r\n> dumpnvram\r\n============NVRAM data============\r\nnvramData.ulVersion=6l\r\nnvramData.szBootline=e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_kernel d=1 p=0 c= a= \r\nnvramData.szBoardId= XPT2542NUR\r\nnvramData.ulMainTpNum=0l\r\nnvramData.ulPsiSize=64l\r\nnvramData.ulNumMacAddrs=10l\r\nnvramData.ucaBaseMacAddr=??Umo\r\nnvramData.pad=\r\nnvramData.ulCheckSumV4=0l\r\nnvramData.gponSerialNumber= \r\nnvramData.gponPassword= \r\nnvramData.cardMode=-1\r\nnvramData.cardNo= 000000000000000000\r\nnvramData.userPasswd=telecomadmin31407623\r\nnvramData.uSerialNumber=32300C4C755116D6F\r\nnvramData.useradminPassword=62pfq\r\nnvramData.wirelessPassword=3yyv3kum\r\nnvramData.wirelessSSID=ChinaNet-WmqQ\r\nnvramData.conntrack_multiple_rate=0\r\n============NVRAM data============\r\n<\/pre>\nNice, got the router admin pass already.
\n– nvramData.userPasswd=telecomadmin31407623
\n(user is telecomadmin).<\/p>\nI actually needed the login details, this turned out to be via <\/p>\n
> dumpmdm <\/pre>\nThis dumped a rather large xml style file with some interesting bits<\/p>\n
[excerpted are some of the good bits – the whole file is huge]
\n
\n
\nFALSE<\/FtpEnable>
\ne8ftp<\/FtpUserName>
\ne8ftp<\/FtpPassword>
\n21<\/FtpPort>
\nTRUE<\/FtpChanged>
\nFALSE<\/FtpAllowWanAccess>
\nTRUE<\/TelnetEnable>
\ne8telnet<\/TelnetUserName>
\ne8telnet<\/TelnetPassword>
\n23<\/TelnetPort>
\nFALSE<\/TelnetAllowWanAccess>
\nadmin<\/ConsoleUserName>
\nv2mprt<\/ConsolePassword>
\n <\/X_CT-COM_ServiceManage>
\n<\/code><\/p>\nHmm, telnet, and a password!
\nTelnet is not enabled by default, nor is FTP.<\/p>\nIt also had the pppoe user\/pass which was what I was looking for, and the LOID, which I needed to stick into my modem.
\nScore.<\/p>\nWhile that was pretty much all I needed, I decided to enable Telnet and FTP to play around.<\/p>\n
Ok, so how do we enable telnet?<\/p>\n
\r\n > localservice\r\nusage:\r\n localservice show: show the current telnet\/ftp service status.\r\n localservice telnet enable\/disable: set the telnet service enable or disable.\r\n localservice telnetAccess enable\/disable: allow access telnet in wan side or not.\r\n localservice ftp enable\/disable: set the ftp service enable or disable.\r\n localservice ftpAccess enable\/disable: allow access ftp in wan side or not.\r\n\r\n > localservice telnet enable\r\n \r\n> localservice show\r\nCurrent local services status:\r\nFtp Service: Disable\r\nFtp Allow Wan Access: No\r\nTelnet Service: Enable\r\nTelnet Allow Wan Access: No\r\n \r\n> localservice ftp enable\r\n\r\n> localservice show\r\nCurrent local services status:\r\nFtp Service: Enable\r\nFtp Allow Wan Access: No\r\nTelnet Service: Enable\r\nTelnet Allow Wan Access: No\r\n > save\r\nconfig saved.\r\n\r\n<\/pre>\nreboot the modem, and see if we can login via ethernet<\/p>\n
\r\ntelnet 192.168.1.1\r\nTrying 192.168.1.1...\r\nConnected to broadcom.home.\r\nEscape character is '^]'.\r\nBCM96838 Broadband Router\r\nLogin: telecomadmin\r\nPassword: \r\nLogin incorrect. Try again.\r\nLogin: e8telnet\r\nPassword: \r\n > \r\n<\/pre>\nCool, so we now have full access to the device.<\/p>\n
There also seems to be a remote monitoring system config’d via devacs.edatahome.com, which maps to a Shanghai Telecom ip.<\/p>\n
\r\nhttp:\/\/devacs.edatahome.com:9090\/ACS-server\/ACS<\/URL>\r\n http:\/\/devacs.edatahome.com:9090\/ACS-server\/ACS<\/LastConnectedURL>\r\n hgw<\/Username>\r\n hgwXXXX1563<\/Password>\r\n<\/pre>\n and something else called itms.<\/p>\n
\r\nitms<\/ConnectionRequestUsername>\r\n itmsXXXX5503<\/ConnectionRequestPassword>\r\n<\/pre>\n I’ve XXX’d out some of the numbers from my own dump, as I suspect its device \/ login specific.<\/p>\n
I got what I needed though, which was admin access to the modem, despite Shanghai Telecom not telling me.<\/p>\n
Would really be nice if they just gave you the PPPoE user\/pass and LOID, but that would be too easy…<\/p>\n
On my modem, the following were the default passwords:<\/p>\n
Console Access (via serial port)<\/p>\n
User: admin
\nPass: v2mprt<\/p>\nOnce in console, you can enable Telnet and FTP.<\/p>\n
Telnet (not enabled by default)
\nUser: e8telnet
\nPass: e8telnet<\/p>\nFTP (not enabled by default)
\nUser: e8ftp
\nPass: e8ftp<\/p>\nTo show the http password from console (either local, or via telnet).
\ndumpnvram<\/p>\nurl: http:\/\/192.168.1.1
\nhttp user: telecomadmin
\nhttp pass: (as per nvram, mine was telecomadmin31407623 )<\/p>\nOnce in you can see all the important bits. Probably easier to grep the xml file from<\/p>\n
dumpmdm<\/p>\n
Took me about an hour or so to get to that point, I’m running on my own equipment again, and its not gimped. Worth my time!<\/p>\n
<\/code>
<\/p>\n","protected":false},"excerpt":{"rendered":"In January, I upgraded to 100M fibre, and paid upfront for the year (RMB2800). While I was on vacation, my FTTB at home stopped working, so we called Shanghai Telecom. What had actually happened was that there was a screwup with the account setup, and they’d put me on a monthly bill *and* 100M. After […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[48,282,25,4],"tags":[500,497,307,197,498,499,156],"class_list":["post-1488","post","type-post","status-publish","format-standard","hentry","category-exploits","category-firmware-2","category-technical-mumbo-jumbo","category-useful-info","tag-e8","tag-epon","tag-fibre","tag-firmware","tag-loid","tag-modem","tag-shanghai-telecom"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/1488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=1488"}],"version-history":[{"count":2,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/1488\/revisions"}],"predecessor-version":[{"id":1490,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/1488\/revisions\/1490"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=1488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=1488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=1488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}